I am looking for the best way to invoke a remote command over SSH. I created a user 'rpcall', generated a new key and filled in authorized_keys. To be a bit more secure:
from="ip",no-agent-forwarding,no-X11-forwarding,no-port-forwarding,no-pty ssh-rsa ......
Now user rpcall cannot log in to a terminal:
ssh -l rpc 192.168.12.1
PTY allocation request failed on channel 0
but can run any command:
ssh -l rpc 192.168.12.1 cat /etc/passwd
Is there a solution that lets me restrict command execution to only one handler script? For example /home/rpcall/bin/command.sh
I set up a bash shell for this user and use .bashrc to force the handler script to run, but I do not know how to pass parameters from the ssh call.
.bashrc of user rpcall:
/home/rpcall/bin/command.sh $params1 $params2
exit
ssh call from the other machine:
ssh -l rpcall 192.168.12.1 "param1" "param2"
You can use the authorized_keys file to restrict the command. Put the key in the authorized_keys file, and that command will then be run whenever the user connects.
Check the man page for authorized_keys; this is from that man page:
command="command" Specifies that the command is executed whenever this key is used for authentication. The command supplied by the user (if any) is ignored. The command is run on a pty if the client requests a pty; otherwise it is run without a tty. If an 8-bit clean channel is required, one must not request a pty or should specify no-pty. A quote may be included in the command by quoting it with a backslash. This option might be useful to restrict certain public keys to perform just a specific operation. An example might be a key that permits remote backups but nothing else. Note that the client may specify TCP and/or X11 forwarding unless they are explicitly prohibited. The command originally supplied by the client is available in the SSH_ORIGINAL_COMMAND environment variable. Note that this option applies to shell, command or subsystem execution.
If you need multiple commands, you basically need to set up several sets of keys, and use different keys to give you different commands.
Edit: I just noticed that the original command is available in the SSH_ORIGINAL_COMMAND environment variable, so you can indeed use your own script to handle this input and do something clever.
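The approach the answer sketches, written out as an added example (this is not code from the question or the answer): a small dispatcher installed as the forced command for the rpcall key. sshd never runs what the client asked for; the request arrives only as text in SSH_ORIGINAL_COMMAND, which is why the .bashrc approach in the question could not see any parameters. The dispatcher splits that text on whitespace, checks it against an allowlist, and only then execs the handler script from the question. It goes one step past the single-command case: several actions can share one key, so the "several sets of keys" workaround is not needed. The script path /home/rpcall/bin/ssh-dispatch, the client address 192.168.12.2 and the actions status, deploy NAME and restart NAME are assumptions made for the example.

```shell
#!/bin/sh
# ssh-dispatch: forced-command wrapper for the rpcall key (illustrative;
# the path, the client address and the allowed actions are assumptions).
# Install it from authorized_keys, keeping the restrictive options:
#   command="/home/rpcall/bin/ssh-dispatch",from="192.168.12.2",no-agent-forwarding,no-X11-forwarding,no-port-forwarding,no-pty ssh-rsa AAAA...
# sshd then ignores what the client asked to run, starts this script, and
# hands the client's request over only as text in $SSH_ORIGINAL_COMMAND.

set -eu
set -f   # no pathname expansion: nothing from the client may ever glob

HANDLER=/home/rpcall/bin/command.sh   # the one script to expose, from the question

# Characters a whole request may contain: letters, digits, dot, underscore,
# dash and space. Anything else (/ ; & | $ ` quotes, newlines ...) rejects
# the request outright, before any splitting happens.
OK_CHARS='A-Za-z0-9._ -'

# A single argument must additionally not start with a dot, so neither
# dotfiles nor ".." can be named even though "." is an allowed character.
valid_arg() {
    case "$1" in
        ''|.*) return 1 ;;
    esac
    return 0
}

# dispatch RAW: map the client's request onto an allowlisted invocation of
# $HANDLER. Prints the command line that would run and returns 0, or prints
# nothing and returns 1. The client string is split on whitespace only and
# is never handed to eval or to a shell.
dispatch() {
    raw=$1
    case "$raw" in
        *[!$OK_CHARS]*) return 1 ;;
    esac
    set -- $raw                    # safe: set -f is on, charset is known
    [ $# -gt 0 ] || return 1       # empty or all-blank request
    action=$1; shift
    case "$action" in
        status)
            [ $# -eq 0 ] || return 1
            printf '%s status\n' "$HANDLER" ;;
        deploy|restart)
            [ $# -eq 1 ] || return 1
            valid_arg "$1" || return 1
            printf '%s %s %s\n' "$HANDLER" "$action" "$1" ;;
        *)
            return 1 ;;
    esac
}

# Only act when sshd started us as a forced command (the variable is unset
# when the script is sourced or run by hand).
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if line=$(dispatch "$SSH_ORIGINAL_COMMAND"); then
        exec $line        # $line is $HANDLER plus validated tokens
    fi
    printf 'rejected: %s\n' "$SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

From the other machine the call becomes, for example, ssh -l rpcall 192.168.12.1 restart web-01; ssh -l rpcall 192.168.12.1 cat /etc/passwd is rejected because the forced command runs instead of cat and the slash fails the allowlist. The request is validated as a whole string before it is split, so shell metacharacters can never reach the handler or a log line, and the dotfile rule keeps ".." out of any name the handler later turns into a path.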